Security

Uploaded documents should be stored in private object storage, not as database blobs.

Files should be downloaded through signed temporary URLs rather than public file links.

Users access data through their current workspace. Staff roles should be used to limit who can manage clients, documents, settings, and billing.

Public upload links can expire, be disabled, limit file size and type, and be rate limited to reduce abuse.

Upload events should be logged so teams can see when proof was received.

Security headers, login throttling, file validation, activity logs, backups, and private buckets all reduce risk.

Admin 2FA and stronger policy controls may be added as the product matures.

If you believe you have found a security issue, contact hello@complychase.ai with enough detail for us to investigate.